2. Themes from IT audits
2.2 Top three themes noted in 2014–15
Based on our analysis of the IT audit findings noted during 2014–15, there were three top themes:
• The management of controls at outsourced IT environments requires attention—the management and oversight of IT controls undertaken by external service providers requires improved governance and oversight.
• The use of IT systems that are at their end-of-life needs to be addressed—entities are continuing to use IT applications and systems that are approaching the end of the vendor's support cycle.
• IT security controls need improvement—a large number of our IT audit findings relate to IT security control weaknesses.
2.2.1 Management of controls at outsourced IT environments
Our observations
When a public sector entity relies on an outsourced provider or ‘cloud’ service provider to operate and maintain its IT environment, management needs to obtain assurance that the controls implemented and managed by the outsourced provider are operating effectively. Typically, cloud service providers deliver their services to the organisation—in the form of software, infrastructure and platform—over the Internet.
By using an outsourced IT arrangement, the entity’s management does not forgo its duty to ensure that controls are adequate and that the entity's data and information are protected.
The effectiveness of controls at these outsourced IT environments is typically reported to a public sector entity through a service assurance report such as ASAE 3402 Assurance Reports on Controls at a Service Organisation or AUS 810 Special Purpose Reports on the Effectiveness of Control Procedures. Public sector entities need to request that the outsourced IT provider engage an auditor to perform this work and report back to them. This enables entities to certify their annual financial report and complete the Standing Directions of the Minister for Finance certification.
Consistent with the inaugural Information and Communications Technology Controls Report 2013–14 (ICT Controls Report 2013–14), there continues to be a noticeable upward trend in the number of service assurance reports being obtained by public sector entities. These reports are relied upon by the public sector entity for attesting to the overall strength of the external provider's control environment, and are relied upon by VAGO for our financial audits.
In 2014–15, 13 assurance reports for the IT general controls at outsourced IT environments were provided to VAGO. This compares to 10 in 2013–14, four in 2012–13 and one in 2011–12. This trend is shown in Figure 2A.
Figure 2A
Number of assurance reports relied upon by VAGO for financial audits
Note: Where multiple service assurance reports are prepared for a shared service IT provider such as CenITex, this is counted as one report.
Source: Victorian Auditor-General's Office.
For 2014–15, VAGO actively discussed the control weaknesses identified in these reports with management and audit committees. As part of management's obligation to maintain a sound control environment, VAGO has encouraged management to review these assurance reports with greater rigour and to acquit and take ownership of the weaknesses.
As part of this and as committed to in last year's ICT Controls Report 2013–14, VAGO has commenced reporting on relevant weaknesses arising from assurance reports with the aim of:
• improving overall accountability
• driving the tracking of these weaknesses by management and audit committees
• enhancing remediation of the weaknesses.
Insights and implications
Since first highlighting this theme in the ICT Controls Report 2013–14, there have been some notable changes.
Policy guidance
The Financial Management Act 1994 and the Standing Directions of the Minister for Finance require an entity’s management to maintain an effective internal controls environment.
In our ICT Controls Report 2013–14, we recommended that further policy guidance was required at the whole-of-government level, as a number of agencies did not currently obtain any form of assurance over outsourced controls. During 2014–15, VAGO consulted with the Department of Treasury & Finance (DTF) which led to the publishing of the Key advice update No 1, 2015 - Managing outsourced financial services to provide further guidance to entities utilising such arrangements. Guidance specific to managing outsourced IT arrangements is not available.
Improved management accountability
As described in our ICT Controls Report 2013–14, there was a perception among some public sector entities that in an outsourcing arrangement the risks associated with the control environment are also transferred, which is not the case. In our interactions with the management of those entities this year, there has been a growing awareness and acceptance of management's responsibilities. This has directly resulted in an increase in the number of service assurance reports received, or other instruments used to obtain assurance.
Worryingly, pockets of limited awareness and acceptance of the risks and responsibilities associated with outsourced arrangements remain, including at high-risk entities. As a result we will continue to encourage a culture of ownership and responsibility across the public sector.
While there has been a marked improvement in available policy guidance and management accountability over service organisation assurance, these areas still require improvement.
Access to review controls at private sector entities
The current Audit Act 1994 limits the Auditor-General’s ability to directly follow up on the activities and controls of private sector entities, which are increasingly delivering cloud services and outsourced arrangements to the public sector. The Audit Act’s limitations have been a recurring concern, and during 2014–15 VAGO was explicitly denied audit access by a private sector service provider. Figure 2B highlights why there is an urgent need to amend the Audit Act 1994.
Figure 2B
Case study: Audit Act 1994 limitations
During the 2014–15 audit of a public sector entity, the entity's payroll process was evaluated to be material to the financial report. The entity's payroll process utilised a cloud-based application (‘software-as-a-service’).
The cloud-based application vendor had not provided the public sector entity with an assurance report and there was no ‘right of audit’ embedded within the contract between the entity and the vendor. Management similarly did not have any visibility over most of the controls implemented by the vendor.
While the vendor was willing to provide a portion of the information requested to enable VAGO to undertake the audit, key audit evidence, such as user access listings to the entity's data, was deemed by the vendor to be commercial-in-confidence, or too sensitive to be released.
Because of the current mandate limitation, we were unable to access the information required to assess the operating efficiency of the controls that prevent and detect payroll errors from occurring. As a result, VAGO was unable to complete an audit of the IT environment and a less efficient approach was undertaken, resulting in unnecessary higher audit costs.
This issue was raised in our management letter as management does not have visibility over, and has not received assurance over, controls operating in this outsourced IT environment as required by the Financial Management Act 1994.
Source: Victorian Auditor-General's Office.
Entities' review of the reliability and results of assurance reports
To ensure entities are meeting their obligations under the Financial Management Act 1994, an increased emphasis is needed on assessing the reliability of assurance reports and understanding the impact the issues raised may have on their control environment. Figure 2C details a case study where greater rigour over an assurance report was required during 2014–15.
Figure 2C
Case study: CenITex Service Assurance Program
CenITex is a key provider of IT services to a number of in-scope departments and agencies. In addition to the operational activities that it delivers, CenITex also coordinates and manages a service assurance program, which aims to deliver assurance reports prepared in accordance with auditing or assurance standards, dependent on the department's or agency's requirements.
During 2014–15 VAGO raised concerns about the quality and reliability of these assurance reports. As a result, we did not place full reliance on these assurance reports and for the purposes of our 2014–15 financial audits, we conducted independent audit testing. This led to delays in finalising the financial reports of the affected departments and agencies, as well as additional audit costs and a delay in finalising this report.
Concerns over the reliability of the assurance reports also led to concerns about whether departments and agencies had sufficiently met their obligations under the Financial Management Act 1994. VAGO requested that management at the departments and agencies undertake additional procedures to assess the overall operation of IT controls, including the reliability of the assurance reports, their findings and any control areas not assessed by the CenITex auditor.
This finding was raised in our management letters to the relevant departments and agencies as these entities have not implemented a sustainable process to ensure that management assesses the reliability of assurance reports and understands the impact of the issues raised in these reports.
Source: Victorian Auditor-General's Office.
Remediation of service organisation control weaknesses
While there has been an increase in public sector entities obtaining service assurance reports, there has been limited monitoring undertaken to ensure that the service organisations are remediating the control weaknesses identified in a timely manner.
As a result, commencing in 2014–15, we are summarising the relevant audit findings in our management letters and will regularly check that activities to address these control weaknesses are monitored by management.
We identified one instance where a public sector entity was able to hold their service organisation to account and influence it to strengthen certain aspects of its IT control environment—access controls to IT systems and financial data by the vendor's staff have been strengthened.
2.2.2 Use of IT systems that are end-of-life
Our observations
It is essential that public sector entities ensure that their IT systems have appropriate vendor support. ‘End-of-life’ generally refers to when a vendor intends to stop marketing or supporting a piece of IT software or an application. For example, Microsoft Windows XP's extended support ended in April 2014. Vendors typically indicate to their customers in advance when such support arrangements will cease, to enable a smooth transition to current software prior to a program's end-of-life.
Since 2011–12, as part of our audits, VAGO has reported to in-scope entities which of their financial systems are either approaching end-of-life or past their end-of-life. We inform the entities of the risks posed by continuing to utilise such applications, including new security weaknesses not being fixed by the vendor. Due to the length of time required to implement large scale IT systems, VAGO's approach has always been to flag such issues early and to encourage awareness and proactive remediation activities.
Of particular concern, in 2014–15, was the limited progress by entities in upgrading end-of-life systems. We raised audit findings relating to IT systems approaching end-of-life or past their end-of-life at 53 per cent of our in-scope entities. The majority of these 34 end-of-life audit findings related to key financial systems, including Oracle Financials. Findings also related to software on users' desktop computers, such as Windows XP.
Insights and implications
Our analysis of these findings identified the following issues.
Whole-of-Victorian-Government enterprise resource planning re-implementation
Following the November 2014 change of government and subsequent January 2015 machinery-of-government changes, a project to review and implement a whole-of-Victorian-Government enterprise resource planning (ERP) system was suspended. As a result, the financial systems for many in-scope entities are either approaching end-of-life or are past their end-of-life. Given the current situation and the time required to implement an ERP system, this issue is expected to remain unresolved for some time.
Cost of maintaining obsolete software
As an interim measure, a number of public sector entities have entered into customised contractual arrangements with vendors for the support of obsolete IT software. These arrangements typically come at a significant cost and some vendors increase the cost over time as the use of the program declines globally. As an example, a one-year custom support arrangement for Microsoft Windows XP was renewed by a department in April 2015 at a cost of $2.37 million.
2.2.3 IT security controls need improvement
Our observations
Our IT security findings relate to the following IT general controls categories:
• user access management
• authentication controls
• audit logging and monitoring of the IT environment
• patch management
• other IT general controls, including malware protection, penetration testing, physical and environment controls, security and architecture and end-of-life.
IT security issues account for 68 per cent of our 2014–15 audit findings. This is a nominal increase of 1 per cent on the prior year and once again highlights the need for a continued focus on remediating IT security weaknesses.
Most notably, in 2014–15 we have reported an extreme-risk rated audit finding relating to authentication and password controls at one entity. This is detailed in Figure 2D.
Insights and implications
User access management
As described in Part 3 of this report, user access management is the most prevalent issue, accounting for nearly 30 per cent of all our findings. Nearly all in-scope entities have user access management audit findings, which is consistent with the findings of our ICT Controls Report 2013–14.
Public sector entities need to continuously improve the process of managing system access. There are three root causes of user access management control weaknesses:
• Poor understanding of access provided—it is common for VAGO to find user accounts for terminated staff not being disabled or removed. While this can be categorised as an oversight, it is ultimately due to a poor understanding or poor documentation of the access provided to the user, or is due to poor process design. 'Single sign-on' systems can help reduce such issues, and are in place at many in-scope entities, but our findings indicate that this does not solve the problem. A process of systematically recording account ownership and all the systems accessible to each staff member is key to ensuring that they are subsequently removed when no longer required.
• The ‘human factor’ and manual intervention—human oversights are likely the reason why access remained on systems after a staff member resigns or no longer requires that access. Such oversights are often related to appropriate parties not being notified when a user changes roles. While it is not possible to completely eliminate the ‘human factor’, how user access is managed can be heavily influenced by well-defined policies, procedures and processes, by an organisation's culture and tone from the top, and by monitoring controls.
• Inadequate periodic reviews—the intent of periodic reviews is to validate user access to systems on an ongoing basis and ensure that this is aligned with business needs. Where not aligned, the access should be modified accordingly. This often works as an independent control in combination with existing process controls. More often than not, periodic reviews are conducted by management but are not sufficiently effective to eliminate instances of excessive access provided. In some instances, periodic reviews only focused on certain elements of the IT infrastructure, resulting in control limitations.
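The periodic review the three root causes call for, written out as an added Python example (not VAGO's or any audited entity's code): each system's account listing is reconciled against an HR leaver extract and an account-ownership register that also covers local accounts outside single sign-on, and any system in the register with no listing is reported as a gap in the review's coverage. The HR extract, register, listings, system names and account names are all constructed for the example.

```python
# Added example, not from the report: a periodic user access review that reconciles
# system account listings against an HR leaver extract and an ownership register.
from dataclasses import dataclass
from datetime import date

# Constructed HR extract: staff id -> date the person left the entity.
HR_LEAVERS = {
    "jsmith": date(2015, 2, 13),
    "akhan": date(2014, 11, 3),
}

# Constructed ownership register: (system, account) -> owning staff id.
# Local accounts on systems outside single sign-on (here "finance" and
# "payroll") are recorded too, which is the point the report makes.
ACCOUNT_REGISTER = {
    ("ad", "jsmith"): "jsmith",
    ("ad", "bwong"): "bwong",
    ("finance", "FIN_JSMITH"): "jsmith",
    ("finance", "FIN_AKHAN"): "akhan",
    ("payroll", "payroll_admin"): None,  # shared account, no recorded owner
    ("hr_portal", "bwong"): "bwong",
}

# Constructed listings extracted from each system: (system, account, enabled).
# No listing was supplied for "hr_portal", so that system is a coverage gap.
SYSTEM_ACCOUNTS = [
    ("ad", "jsmith", False),              # disabled on exit: no finding
    ("ad", "bwong", True),
    ("finance", "FIN_JSMITH", True),      # local account missed by the exit process
    ("finance", "FIN_AKHAN", True),
    ("payroll", "payroll_admin", True),
    ("payroll", "tmp_contractor", True),  # never recorded in the register
]
REVIEW_DATE = date(2015, 6, 30)  # assumed date the review is run


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    issue: str


def review_access(accounts, register, leavers, as_of):
    """Return one Finding per account that the exit process or the register missed."""
    findings = []
    for system, account, enabled in accounts:
        if (system, account) not in register:
            findings.append(Finding(system, account, "not in ownership register"))
            continue
        owner = register[(system, account)]
        if owner is None:
            findings.append(Finding(system, account, "no recorded owner"))
        elif enabled and owner in leavers:
            days = (as_of - leavers[owner]).days
            findings.append(Finding(system, account, f"enabled {days} days after owner left"))
    return findings


def coverage_gaps(accounts, register):
    """Systems in the register for which no account listing was reviewed."""
    reviewed = {system for system, _, _ in accounts}
    return sorted({system for system, _ in register} - reviewed)


if __name__ == "__main__":
    print(*review_access(SYSTEM_ACCOUNTS, ACCOUNT_REGISTER, HR_LEAVERS, REVIEW_DATE), sep="\n")
    print("systems not covered by this review:", coverage_gaps(SYSTEM_ACCOUNTS, ACCOUNT_REGISTER))
```

The disabled AD account for the leaver produces no finding, while the same leaver's still-enabled local finance account does, which is the gap single sign-on alone leaves open.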
Victorian Government IT security standards
In November 2013, a number of IT security standards were published to take effect from 1 January 2014. Some of these standards relate to identity and access management (IDAM), providing specific guidance on password controls and bringing the overall Victorian IT control framework into alignment with better practices and applicable Commonwealth standards such as the Australian Government Information Security Manual.
While compliance with the Victorian Government's Identity and Access Management (IDAM) Standard 03 – Strength of Authentication Mechanism v1.0 is mandatory for all departments and 11 audited agencies, our IT audits found a large number of issues related to password controls. Typical audit findings include:
• entities which have not updated their password policies and procedures to reflect the standard's requirements
• password settings implemented on in-scope systems did not comply with the standards.
This is disappointing given that the Victorian Government IT security standards have been in effect for the full financial year, and agencies have had time to develop an implementation plan.
Through our interaction with management, we believe that there is a general lack of awareness of the Victorian Government IT security standards. Going forward, and recognising that there may be changes introduced by the Commissioner for Privacy and Data Protection, VAGO intends to further assess entities' compliance with the Victorian Government IT security standards.
At one of our audited entities, we found an extreme risk surrounding authentication controls, which is not consistent with Victorian Government IT security standards. This example is detailed in Figure 2D.
Figure 2D
Case study: Extreme risk surrounding authentication controls
A public sector entity was found to have password management policies and configurations that are not consistent with Victorian Government IT security standards. Ordinarily, such an audit finding would be rated as high risk, however, this case was rated as an extreme risk based on the sensitive and confidential nature of the data that is stored by the entity.
Our review identified that the entity's password management policies are either silent on a number of key password requirements, or the requirements were not strong enough. Audit testing identified numerous instances where the system password configurations were neither aligned with the Victorian Government IT security standards, nor aligned with approved internal standards.
We have highlighted these audit findings for the attention of IT senior management and the audit committee, with responses from both parties being positive and encouraging. Given its risk rating, management expedited the implementation of our audit recommendations.
Source: Victorian Auditor-General's Office.
Recommendations
1. That the Commissioner for Privacy and Data Protection provides education and training to relevant entities on the requirements of the Victorian Protective Data Security Standards—once issued.
2. That the Department of Premier & Cabinet monitors and reports the status of information technology obsolescence risks at departments and public sector agencies.
That public sector entities’ governing bodies and management:
3. enhance management's understanding of their Financial Management Act 1994 and Standing Directions obligations, and ensure:
• assurance reports received for outsourced information technology environments are reliable and fit-for-purpose
• exceptions raised in assurance reports are assessed for the impact they may have on the entity's control environment.
4. manage the continuity of vendor support for systems approaching end-of-life, including their upgrade or migration to fully supported solutions. Where possible, entities should work collaboratively to address information technology obsolescence risk across the public sector.
5. implement appropriate governance and monitoring mechanisms to ensure:
• information technology audit findings are addressed by management
• sustainable process improvements, to prevent future recurrence.
6. align information technology control frameworks to relevant Victorian Government information technology security standards.